On Thursday, 2001/07/26 at 19:39 AST, "Claussen, Ken" <kclausse@columbus.rr.com> wrote:

> 206.47.x.x has attempted to access a port (type 3, code 3) on a remote host,
> 211.233.58.115. That port was either closed or not in use on the remote host
> and it has sent an ICMP (Internet Control Messaging Protocol) message type 3
> (Host Unreachable) Code 3 (Port Unreachable) in response. These messages are
> quite frustrating, because unless you are logging ALL traffic it is near
> impossible to determine what caused this message or what port they were
> attempting to access on the remote host. This message is simply
> informational and is intended to tell the host attempting to connect that it
> should not continue attempting because that port is not in use. If the
> message was "Administratively Prohibited" (packet filtered) then I would be
> much more concerned someone had malicious intent. Either way the person from
> your network is attempting to access someone else's resources. If it
> violates their security policy then you will probably receive notification
> about it from their admin.

That is the normal explanation for the receipt of a 3/3 code - your site has tried to connect to a port that is closed. Certainly indicates nothing malicious from the outside and maybe not caused by anything malicious from your site.

But there are other explanations. Someone could be sending the 3/3 code unsolicited. That would represent an attack or probe of some type. I'm not aware of any known vulnerabilities to ICMP 3/3, but there may be an unpublicized one. (3/3 actually wouldn't be a very good probe - there should never be a response from your site to the originator of this type of ICMP message.)

Tony Rall

_______________________________________________
Firewalls mailing list
Firewalls@lists.gnac.net
http://lists.gnac.net/mailman/listinfo/firewalls
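
An added example, not part of either message above: a sketch of how a defender could separate solicited from unsolicited 3/3 messages, using the fact that RFC 792 destination-unreachable messages quote the original IP header plus the first 8 bytes of the datagram that triggered them. It assumes the capture retains the ICMP payload; the function names, the `recent_outbound` flow set and the sample packets are hypothetical and constructed.

```python
import socket
import struct

def parse_port_unreachable(icmp: bytes):
    """Return (proto, src, sport, dst, dport) of the datagram that triggered
    an ICMP 3/3, or None if this is not a well-formed 3/3 message."""
    if len(icmp) < 8 + 20 + 4 or (icmp[0], icmp[1]) != (3, 3):
        return None
    inner = icmp[8:]                      # quoted original IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    proto = inner[9]
    if proto not in (6, 17):              # ports only exist for TCP/UDP
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, socket.inet_ntoa(inner[12:16]), sport,
            socket.inet_ntoa(inner[16:20]), dport)

def classify(icmp: bytes, recent_outbound: set) -> str:
    """Label an inbound ICMP message against flows our site really sent."""
    flow = parse_port_unreachable(icmp)
    if flow is None:
        return "not-port-unreachable"
    return "solicited" if flow in recent_outbound else "unsolicited"

def build_sample(src, sport, dst, dport, proto=17) -> bytes:
    """Constructed test packet: ICMP 3/3 quoting a UDP datagram (checksums 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + l4

if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    sent = {(17, "192.0.2.10", 40000, "198.51.100.7", 33434)}
    for pkt in (build_sample("192.0.2.10", 40000, "198.51.100.7", 33434),
                build_sample("192.0.2.10", 40001, "198.51.100.7", 53)):
        print(parse_port_unreachable(pkt), classify(pkt, sent))
```

A 3/3 whose quoted flow matches nothing the site sent is the unsolicited case; one that matches shows which port the internal host tried to reach.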